CVE-2007-3382 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3382): Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 treats single quotes ("'") as delimiters in cookies, which might cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session hijacking attacks.
CVE-2007-3385 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3385): Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 does not properly handle the \" character sequence in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks.
*** Bug 195563 has been marked as a duplicate of this bug. ***
Sorry for rudely closing the other bug.
Arches, please test and mark stable www-servers/tomcat-5.5.25 and its deps:
dev-java/eclipse-ecj-3.3.0-r1
dev-java/tomcat-servlet-api-5.5.25
Target keywords are: "amd64 x86 ~x86-fbsd"
amd64 stable
x86 stable, last arch, open for GLSA vote
Adding BSD back, your KEYWORD is missing. Anyway, GLSA vote is still valid.
Added our keyword back. Next time a bsd keyword gets dropped please say so on the bug as we automatically remove ourselves on stable requests as we have no stable keyword at this time.
I tend to vote NO.
I vote NO.
Voting no and closing. Feel free to reopen if you disagree.